Losing Session Variables

ShootingStar

When I use:

header("location: index.php");

my session variables are cleared.
Does anyone know how I can use the above line and maintain my session variables?

Many Thanks

ShootingStar

Weedpacket

If the session ID is not being stored on the client as a cookie, and if you have enabled trans_sid in php.ini, then you'll have to put the session ID into the URL yourself.

Also, you may want to look at some of the user comments on the [man]header[/man] manual page regarding session data.

liquorvicar

how are you passing your session ID from request to request? are you using cookies? tranparent sessionIDs?
you may need to do something like:

header("location: index.php?".strip_tags(SID););

have you got a session_start() in the right place?

ShootingStar

Ah - clearly I'm a newbie - I'm not passing the Session ID. I've had a quick look at the php manual - there two ways to pass the session - either through URL or cookies.

Cookies are not really ideal as they are not always available at the client. So I'm going to try to implement the URL method.

I see theres a function session_id() does this get populated by php when a new session is started? Or do I have to generate a unique ID and set the session ID to this myself?

Currently I have another file - global.php that has session_start() in it. I then include global.php at the beginning of all my pages.

So should I do the following:

if ($_REQUEST['SID']!="")
{
session_id($_REQUEST['SID']);
}
session_start();

This way if a SID is passed by through the URL its is set as the current session ID

liquorvicar

something like that, although i always use transparent SESSION IDs. you should read up about them in the manual. it removes the need to play about having the SESS_ID in your $_REQUEST variables.

ShootingStar

Thanks for the advice - I've tried searching the manual for info on transparent session IDs but I've not really understood much - do you have any links to anything or could u maybe explain the difference between using the session ID in the url and using transparent session ID and how they prevent the obvious security issue of session IDs in URLs?

liquorvicar

sorry, got myself all in a muddle over this.

transparent session ids - SID passed through $GET or $POST
cookie session ids - SID passed in a cookie

i was mixing the last option up with using the $_COOKIE superglobal.
i use the second option and have very few problems with use of cookies (on a very busy e-commerce site). most modern browsers know the difference between session cookies and permanent cookies.

AFAIK, session_start() will pick up any current session based on cookie or url.